CVE-2023-28708
First published: Wed Mar 22 2023(Updated: )
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <8.5.86 | 8.5.86 |
| redhat/tomcat | <9.0.72 | 9.0.72 |
| redhat/tomcat | <10.1.6 | 10.1.6 |
| redhat/tomcat | <11.0.0 | 11.0.0 |
| IBM Watson Knowledge Catalog | <=4.x | |
| Tomcat | >=8.5.0<8.5.86 | |
| Tomcat | >9.0.0<9.0.72 | |
| Tomcat | >10.1.0<10.1.6 | |
| Tomcat | =11.0.0-milestone1 | |
| Tomcat | =11.0.0-milestone2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/250740
- https://www.ibm.com/support/pages/node/7009747 (Advisory)
- https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
- https://access.redhat.com/security/cve/CVE-2023-28708
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86
- https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
- https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2181441
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2181442
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2181443
- https://access.redhat.com/errata/RHSA-2023:4909
- https://access.redhat.com/errata/RHSA-2023:4910
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2180856#c9
- https://access.redhat.com/errata/RHSA-2023:6570
- https://access.redhat.com/errata/RHSA-2023:7065
- https://bugzilla.redhat.com/show_bug.cgi?id=2180856
Frequently Asked Questions
What is the CVE ID of this vulnerability?
CVE-2023-28708
What is the severity of CVE-2023-28708?
The severity of CVE-2023-28708 is high with a score of 7.5.
How does this vulnerability occur?
This vulnerability occurs when using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https.
Which versions of Apache Tomcat are affected by this vulnerability?
Apache Tomcat versions 8.5.0 to 8.5.85, 9.0.0-M1 to 9.0.71, 10.1.0-M1 to 10.1.5, and 11.0.0-M1 to 11.0.0.-M2 are affected by this vulnerability.
How can I fix CVE-2023-28708?
To fix CVE-2023-28708, update Apache Tomcat to version 8.5.86, 9.0.72, 10.1.6, or 11.0.0 or later.
- agent/type
- agent/first-publish-date
- agent/references
- agent/remedy
- agent/author
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-28708
- agent/software-canonical-lookup
- agent/trending
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/last-modified-date
- agent/source
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- collector/nvd-index
- package-manager/redhat
- vendor/ibm
- canonical/ibm watson knowledge catalog
- version/ibm watson knowledge catalog/4.x
- vendor/apache
- canonical/tomcat
- version/tomcat/8.5.0
- version/tomcat/11.0.0-milestone1
- version/tomcat/11.0.0-milestone2